Tag Archives: HITECH

WEBINAR – Dept. of Health & Human Services HIPAA Audits: How to Prepare

Our thanks to the team at healthcareinfosecurity.com for asking CynergisTek to share its firsthand experience with the OCR HIPAA Audit Program.

Friday – June 29, 2012, 3:30 PM Eastern (12:30 PM Pacific). Duration: 90 Minutes

Wednesday – July 11, 2012, 1:00 PM Eastern (10:00 AM Pacific). Duration: 90 Minutes

A good way to prepare for federal HIPAA compliance audits is to learn from the experiences of the first organizations audited earlier this year.

This webinar will feature timely insights from a consultant who observed first-hand an audit at a hospital that was one of the 20 initial sites audited under the Department of Health and Human Services’ Office for Civil Rights’ new program. Another 95 sites will be audited by year’s end, and most have yet to be notified.

Join us for this exclusive session, when you’ll gain a clear understanding of:

  • The audit process and protocol and how to prepare for the experience;
  • The level of rigor in the audit process and the expectations of the auditors;
  • The essential steps to take to prepare staff, including insights on how to successfully interact with the auditors.

Background

The HITECH Act called for HIPAA compliance audits as part of an effort to help ensure compliance with its privacy and security provisions. The HHS Office for Civil Rights has completed the first 20 pilot audits, and it plans to complete another 95 by the end of this year.

Those to be audited will be notified in phases in months ahead. How can you help ensure your organization is well-prepared if it’s selected? By learning from the experiences of those who’ve been through the audit experience.

This webinar will feature timely insights from an experienced consultant who aided a client with its audit, from start to finish.

The protocol for these assessments presents a rigorous audit experience that emphasizes the need for readiness, consultant Mac McMillan stresses.

McMillan’s experience advising a client who was audited provided valuable direct visibility into how these audits are conducted, the expectations of the auditors and the process. This session is designed to chronicle that experience and provide insights into how to improve your readiness posture.

In this webinar, you’ll learn:

  • What the audit process looks like and what to expect;
  • How to prepare for the document request requirements;
  • How to prepare your staff for successful interaction with the auditors;
  • How to prepare all your departments for the audit process;
  • How to review your information security program to understand weaknesses;
  • How to prepare your response.

OCR Publishes its HIPAA Audit Protocol

The industry has been eager for the release of the OCR’s HIPAA Audit Protocol and our wait is over. Today, without fanfare, OCR posted the protocol to its website here: http://ocrnotifications.hhs.gov/hipaa.html

All told, the protocol enumerates 165 areas of performance evaluation – 77 dedicated to the HIPAA Security Rule and 88 dedicated to the HIPAA Privacy and Breach Notification Rules. The protocol cites the specific section of the HIPAA Rules, the established performance criteria, the key activity and the audit procedures. As we experienced in working with our client, one of the first 20 organizations audited, the audit procedures are largely inquiries as to whether, first, policies and supporting documentation exist, and second, whether processes and practices consistent with those policies can be observed.

That said, for organizations looking for a better understanding of what constitutes acceptable performance, or ranges of acceptable performance as we often see in other types of industry audits, the published protocol may still leave the industry wanting for more explicit guidance.

For example, the single most significant HIPAA Security Rule finding of deficiency across the first 20 audits was in the area of user activity monitoring, as reported by OCR’s Linda Sanches at the OCR/NIST conference on June 6, 2012. In reviewing the audit protocol, here are some excerpts associated with user activity monitoring:

Performance Criteria: §164.308(a)(1)(ii)(D): Security Management Process – Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Key Activity: Develop and Deploy the Information System Activity Review Process

Audit Procedure: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities; such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.

Performance Criteria: §164.312(b) Audit Controls – Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Key Activities: Determine the Activities that Will be Tracked or Audited, Select the Tools that Will be Deployed for Auditing and System Activity Reviews, Develop and Deploy the Information System Activity Review/Audit Policy, Develop Appropriate Standard Operating Procedures

Audit Procedure:

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.

Inquire of management as to whether a formal or informal audit policy is in place to communicate the details of the entity’s audits and reviews to the work force. Obtain and review formal or informal policies and procedures and evaluate the content in relation to the specified criteria to understand whether a formal audit policy is in place to communicate the details of the entity’s audits and reviews to the work force. Obtain and review an email, or some form of communication, showing that the audit policy is communicated to the work force. Alternatively, a screenshot of the audit policy located on the entity’s intranet would suffice.

Inquire of management as to whether procedures are in place on the systems and applications to be audited and how they will be audited. Obtain and review management’s procedures in place to determine the systems and applications to be audited and how they will be audited.

While this information is certainly helpful, many of our clients want to know how many patient records they should be auditing, how many user accounts they should be auditing, how frequently audits should be conducted, what constitutes acceptable monitoring practice, etc. The performance criteria in the protocol are just not that specific, despite the industry’s desire for more explicit guidance.
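The protocol asks for evidence that activity records are actually reviewed, not just collected. The following is an added example, not part of the OCR protocol or of CynergisTek’s services, of what such a review step can look like in practice: it parses a constructed ePHI access log (the one-line-per-event format, the field names, the business-hours window, the 10-patients-per-day volume threshold and the set of “sensitive” actions are all assumptions chosen for illustration), flags events for human follow-up, and draws a reproducible sample of records that a reviewer can sign off on as evidence of the review practice the auditors ask to see.

```python
"""Review ePHI access-log records and produce reviewable findings.

Added example. The log format, rule thresholds and action names are
assumptions for illustration, not a standard or a vendor's format.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
import random

BUSINESS_START = time(7, 0)      # assumed business-hours window
BUSINESS_END = time(19, 0)
SENSITIVE_ACTIONS = {"EXPORT", "PRINT"}  # assumed actions that always warrant review

# Constructed sample log (not real data): "<ISO timestamp> <user> <patient id> <action>".
# rlee's 12 look-ups on one day are generated to exceed the volume threshold below.
SAMPLE_LOG = (
    "2012-06-04T08:12:03 jdoe MRN1001 VIEW\n"
    "2012-06-04T08:15:41 jdoe MRN1002 VIEW\n"
    "2012-06-04T09:02:17 asmith MRN1003 VIEW\n"
    "2012-06-04T23:48:09 asmith MRN1004 VIEW\n"
    "2012-06-04T23:51:30 asmith MRN1005 EXPORT\n"
    + "".join(f"2012-06-05T10:{i:02d}:00 rlee MRN{2000 + i} VIEW\n" for i in range(12))
)


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, patient, action = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action.upper(),
            "line": lineno,
        })
    return records


def review(records, volume_threshold=10):
    """Apply review rules; return findings plus per-user event totals."""
    findings = []                      # (rule, user, detail)
    distinct = defaultdict(set)        # (user, date) -> distinct patients touched
    for r in records:
        where = f"line {r['line']}: {r['action']} {r['patient']} at {r['ts'].isoformat()}"
        if not (BUSINESS_START <= r["ts"].time() < BUSINESS_END):
            findings.append(("after_hours", r["user"], where))
        if r["action"] in SENSITIVE_ACTIONS:
            findings.append(("sensitive_action", r["user"], where))
        distinct[(r["user"], r["ts"].date())].add(r["patient"])
    # Volume rule: more distinct patients in one day than the assumed threshold.
    for (user, day), patients in sorted(distinct.items()):
        if len(patients) > volume_threshold:
            findings.append(("high_volume", user, f"{len(patients)} distinct patients on {day}"))
    per_user = dict(Counter(r["user"] for r in records))
    return {"findings": findings, "per_user": per_user}


def sample_for_review(records, n=3, seed=0):
    """Deterministic random sample for a reviewer to check by hand and sign off."""
    rng = random.Random(seed)          # fixed seed so the sample can be reproduced for auditors
    return rng.sample(records, min(n, len(records)))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    result = review(recs)
    print("events per user:", result["per_user"])
    for rule, user, detail in result["findings"]:
        print(f"[{rule}] {user}: {detail}")
    print("sample for manual review:", [r["line"] for r in sample_for_review(recs)])
```

Run as-is the script reports two after-hours events and one export by `asmith`, a high-volume day for `rlee`, and a three-record sample; in a real deployment the findings and the signed-off sample would be retained as the “evidence for a sample of instances” the audit procedure asks for.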

Another area of deficiency that both OCR and KPMG have commented on publicly is the performance of risk assessment among the first 20 audited organizations. The protocol offers the following:

Performance Criteria: §164.308(a)(1): Security Management Process §164.308(a)(1)(ii)(a) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Key Activity: Conduct Risk Assessment

Audit Procedure: Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity’s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

Again, many of our clients want to understand what “periodic basis” really means. Is that annually? What kind of change in the environment necessitates an update to the risk assessment? One thing is clear from the audit procedure: covered entities need to know where ePHI is across the enterprise. This is not something that can be accomplished manually if the ePHI discovery is going to be accurate.
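To illustrate what automated ePHI discovery can mean in practice, here is an added example (not part of the protocol, and not a CynergisTek tool) that scans file contents for SSN-shaped values and for an assumed `MRN` + digits medical-record-number format, applies the public SSN structure rules (area not 000, 666 or 900–999; group not 00; serial not 0000) to reduce false positives, and returns an inventory of which files hold which identifiers. The sample files are constructed in-line; the `scan_directory` helper applies the same logic to a real share.

```python
"""Inventory files that appear to contain ePHI identifiers.

Added example. The MRN format is an assumption; SSN plausibility follows the
published SSN structure rules. Sample file contents below are constructed.
"""
import os
import re

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
MRN_RE = re.compile(r"\bMRN\d{4,8}\b")   # assumed organisation-specific MRN format

# Constructed sample "files": path -> text. Not real data.
SAMPLE_FILES = {
    "/share/billing/claims_2011.csv": (
        "patient,ssn,amount\n"
        "A,123-45-6789,100\n"
        "B,219-09-9999,50\n"
        "C,000-00-0000,0\n"          # structurally invalid, should not count
    ),
    "/share/export/radiology.txt": "MRN1001 CT chest\nMRN1002 MRI brain\n",
    "/share/hr/readme.txt": "Welcome to the HR share. Policies are in the policy folder.\n",
}


def is_plausible_ssn(area, group, serial):
    """Apply SSN structure rules to discard obviously invalid matches."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def scan_text(text):
    """Count plausible SSNs and MRN-shaped tokens in one document."""
    ssn_hits = sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))
    mrn_hits = len(MRN_RE.findall(text))
    return {"ssn": ssn_hits, "mrn": mrn_hits}


def scan_texts(files):
    """Build an inventory {path: counts} of files with at least one identifier hit."""
    inventory = {}
    for path, text in files.items():
        counts = scan_text(text)
        if any(counts.values()):
            inventory[path] = counts
    return inventory


def scan_directory(root):
    """Same inventory over a real directory tree (text files read leniently)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue                 # unreadable file: skip, but a real tool should log it
    return scan_texts(files)


if __name__ == "__main__":
    for path, counts in sorted(scan_texts(SAMPLE_FILES).items()):
        print(f"{path}: {counts}")
```

The inventory produced this way is the input to the "identified all systems that contain, process, or transmit ePHI" determination in the audit procedure; the counts are indicative, so a reviewer still confirms hits before a location is added to the ePHI inventory, and each scan's date and scope should be recorded so the inventory can be shown to be maintained over time.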

Over the coming days, there are sure to be many articles, editorials, discussions and blog posts about the protocol and how it can best be employed to help organizations improve their privacy and security program performance. We look forward to your questions and comments.

On the heels of our client’s audit, CynergisTek, in partnership with Davis Wright Tremaine partner Adam Greene, established a portfolio of OCR audit readiness and investigation response services. Our team will go about the work of further mapping the content of the protocol to our many lessons already learned to best serve our clients and the industry at large.

10 of the largest data breaches in 2012 … so far

Republished From Healthcare IT News on June 05, 2012 | Michelle McNickle, Web Content Producer

We’re six months into 2012, and numerous headlines have showcased some large health data breaches. Whether it’s outright theft, the actions of a disgruntled employee or overall carelessness, 2012 is already chock-full of noteworthy breaches. And according to recent research, the problem is only growing.

Here are 10 of the largest data breaches in 2012… so far.

1. Utah Department of Health. On March 30, approximately 780,000 Medicaid patients and recipients of the Children’s Health Insurance Plan in Utah had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service’s server. Initially, the number of those affected stood at 24,000, yet, according to UDOH, that number grew to 780,000, with Social Security numbers stolen from approximately 280,000 individuals and less-sensitive personal data stolen from approximately 500,000 others. The reason the hacker was able to access this information? Ultimately, it was due to a weak password.

2. Emory Healthcare. On April 18, Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients. The 10 disks held information on surgical patients treated between 1990 and 2007 at Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Of the 315,000 patient files, approximately 228,000 included Social Security numbers, with other sensitive information at risk including names, dates of surgery, diagnoses, and procedure codes.

3. South Carolina Department of Health. An employee of the South Carolina Department of Health and Human Services was arrested on April 19 after he compiled data on more than 228,000 people and sent it to a private email account. Approximately 22,600 people had their Medicaid ID numbers taken, which were linked to their Social Security numbers. Others had names, addresses, phone numbers, and birth dates stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.

4. Howard University Hospital. Toward the end of March, Howard University Hospital in Washington D.C. notified approximately 34,503 patients of a potential disclosure of their PHI that supposedly occurred in late January. A laptop, which was password protected, was stolen from a contractor’s vehicle, yet, according to the hospital, no evidence suggested any patient files were accessed. The records stolen did contain Social Security numbers for many of the patients affected. Today, the hospital requires all laptops issued to Howard University Health Sciences employees to be encrypted.

5. St. Joseph Health System. In February, St. Joseph Health System, in California, alerted approximately 31,800 patients of a possible security breach at three of their organizations throughout the state. According to the system, security settings were “incorrect,” which allowed for the potential breach. Information accessed didn’t include Social Security numbers, addresses, or financial data, yet patients’ names and medical data were vulnerable. The records at risk were mostly for inpatients who received care from February through August of 2011. The data, the organization said, would have been available through Internet search engines from early 2011 to February 2012.

6. Indiana Internal Medicine Consultants. In early February, a stolen laptop resulted in a breach of 20,000 patient records at the Indiana Internal Medicine Consultants. The organization reported the incident about a month later, and the records were recovered. Although little information about the case exists, a lawsuit was filed as a result and an arrest was made.

7. Our Lady of the Lake Regional Medical Center. Between March 16 and March 20, a laptop was stolen from a local physician office at the Our Lady of the Lake Regional Medical Center in Baton Rouge, La. The laptop contained limited health information for more than 17,000 former ICU patients, including patient names, ages, races, and dates of admission and discharge from the ICU. The organization said there is no evidence the information had been misused, or that there was any malicious intent. As of May, the investigation was still underway.

8. Memorial Healthcare System. On January 27, Memorial Healthcare System in South Florida learned of an employee who accessed patient information, as well as a second employee who accessed patient information with the intent to process fraudulent tax returns. The organization notified 9,497 patients that information including names, dates of birth, and Social Security numbers were accessed, yet, according to their statement, no medical records were taken. Letters weren’t sent out to those affected until April 12th, in an effort to not impede on investigations conducted by law enforcement. The two employees have since been fired.

9. The Kansas Department of Aging. In January, a laptop computer, flash drive, and paper files were stolen out of a car belonging to an employee of the Kansas Department of Aging. The Social Security numbers of approximately 100 patients were stolen, while 7,000 other seniors, and their information, were put at risk. The stolen data included names, addresses, dates of birth, gender, in-home services program participation information, Medicaid identification numbers, and more. The Social Security numbers stolen were of those patients participating in the Senior Care Act program. The organization contacted those patients via phone and sent mail notifications to all others affected.

10. The University of Arkansas for Medical Sciences. In April, the University of Arkansas for Medical Sciences investigated a breach after a document wasn’t properly redacted. Approximately 7,000 patients were affected after an unidentified physician sent financial information on a patient to someone outside of the UAMS offices in mid-February. The physician didn’t remove all identifiers of the patients, such as names, account numbers and dates of services. Of those affected, most were in the interventional radiology program at UAMS between 2009 and 2011. The man who received the information via email claimed he hadn’t released it to anyone.

Mobile device security in healthcare: Changing the mobile mindset

Please enjoy Mac’s latest mHIMSS blog post

I wanted to follow up my last post on mobile security in healthcare by bringing to light the need for a general shift in mindset in terms of how healthcare professionals are using mobile devices.

There is no question that mobile technology has become tightly integrated into most people’s personal and professional lives, with healthcare being no exception. In fact, it is very likely that a fair percentage of the current readers of this post have accessed this material on a phone, tablet or some other portable device. I get it. It is easy and it is convenient. Mobile technology allows for work on the go and instant connectivity. While it may be a difficult task for healthcare professionals to deny themselves the expedience, convenience and perpetual connectivity of mobile devices, if they wish to remain compliant with HIPAA and avoid a breach of electronic Protected Health Information (ePHI), a serious change of mindset is in order.

While some covered entities issue mobile devices (phones, laptops, tablets, etc.) which are protected with encryption and/or hosted on a secure server, many do not, and staff use personal devices in droves and subsequently introduce serious security risks. It is understandable that employees may want to use their own technology in lieu of company-issued devices, as mobile devices can absolutely provide a boost in efficiency and foster instant communication and data exchange. An increasingly common security risk that is often overlooked is introduced when clinical staff (physicians and nurses) use text messaging as a primary means of communication. Whether it is as straightforward as storing a health record on a mobile device or as innocent as sending a text message containing ePHI, most employees are focused on getting their jobs done in the most efficient manner possible and are not thinking about the breach vulnerability of their personal devices.

So then, is the change in perception and practice needed at the individual or organizational level?

The answer to this question is that both organizations and their staff need to re-examine their approaches to allowing personal non-secure devices to receive, transmit or store ePHI. While it is true that a great deal of risk can be eliminated by providing employees with encrypted devices with remote data storage and adequate access controls, many organizations simply lack the resources for such investments. Educating staff about the insecurity of mobile devices and the specific HIPAA requirements relating to those devices is clearly an essential first step for any provider organization. Ignorance of HIPAA regulations is not an excuse for a breach of protected health data and will not prevent or curb the many associated potential consequences of a breach. So as long as healthcare professionals remain uninformed about what the rules are and how to avoid breaking them, organizational risk will remain high.

Education must begin at the organizational level and should be required for all employees responsible for storing or transmitting protected data. Staff education should include an overview of HIPAA regulations, the greatest threats to mobile devices, the potential consequences of a data breach, the best security practices and organizational security policy. As far as employees are concerned, the bottom line regarding HIPAA is that any covered entity responsible for storing or transmitting protected health data must secure the information from breach, or risk financial repercussions in the 4- to 7-million-dollar range, on average. Employees must understand that because personal mobile technology is produced for the masses and not with the security of health data in mind, their iPhone or tablet is simply not adequately protected out of the box.

Organizational policy should be implemented and strictly enforced to prevent the use of insufficiently protected personal mobile devices when ePHI is in play. If staff members either insist on using or, by policy, are permitted to use their own devices, they should be required to demonstrate that all the appropriate security measures are in place, such as encryption, remote storage, access control and the ability to wipe the device clean if lost or stolen.

I am an advocate for mobile technologies and believe that there are significant advantages to be gained from their use in the healthcare industry. However, I think that we often forget that there was a time when people functioned without smart phones and the constant ability to instantly access all information. This concept goes back to my previous post and the need to discern what data we may want and what is actually needed to provide the best care in the safest manner possible.

Healthcare professionals must understand and differentiate the way that mobile technology is used in professional versus personal settings. The consequences of a breach are too significant to justify the introduction of a potential point of breach for the sake of convenience.


CynergisTek CEO to Speak at Two Leading Security and Standards Association Events in June

Industry Thought Leader, Mac McMillan, to Present Educational Session at NIST’s Safeguarding Health Information Conference; Keynote ISSA’s Healthcare Security Seminar

Austin, Texas, May 31, 2012 – CynergisTek™, an authority in enterprise security and privacy solutions and services for healthcare organizations, today announced that its CEO, Mac McMillan, who also serves as the Chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, has been selected as an expert healthcare privacy and security presenter for two renowned security and standards association events in June:

  • National Institute of Standards and Technology (NIST) Safeguarding Health Information: Building Assurance Through HIPAA Security – McMillan will present “View from the Cloud: Security Assurance Considerations for a Purchaser,” on Wednesday, June 6, 2012 at 12:00 p.m. EST
  • Information Systems Security Association (ISSA) Capitol of Texas Chapter Healthcare Security Seminar – McMillan will deliver the keynote presentation entitled “Keynote: Healthcare Security in the Age of EHR,” which will include two panel discussions, on Thursday, June 7, 2012 at 4:30 p.m. CST

McMillan’s educational session at the NIST conference will provide attendees with a framework for understanding best practices for ensuring secure cloud storage of protected health data, as well as privacy and security considerations for covered entities purchasing cloud-based data management solutions. At the ISSA conference, McMillan will deliver the keynote address featuring two panels comprised of healthcare security industry experts, providers and government representatives. Attendees of the ISSA seminar will gain insights into current security trends associated with the continuing digitization of healthcare resulting from growing EHR and HIE adoption, as well as predictions for future regulations.

“I am honored to have been invited by NIST and ISSA, two highly respected organizations, to share some of the lessons that we have learned at CynergisTek over the years, and also to grow my own knowledge by having the opportunity to collaborate with other privacy and security experts,” said McMillan. “Securing digital data and cloud storage are both topics of particular interest to me as they require a flexible approach to keep up with the evolution of the technologies and regulations. I want attendees of both events to understand that with any new data storage or transmission technologies come new security threats which require innovative privacy and security practices in order to be adequately addressed and eliminated.”

CynergisTek’s solutions and services are specifically designed to help healthcare organizations improve their security posture, facilitate compliance, advance operational efficiency and foster trust. CynergisTek’s managed and on-demand solutions address the fundamental elements of information security management, including:

  • Strategy and Governance
  • Compliance and Risk
  • Infrastructure
  • Technical Vulnerability Management
  • Audit
  • Managed Security Solutions

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

About NIST

Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation’s oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of England, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks.

About ISSA

The Information Systems Security Association (ISSA)® is dedicated to developing and connecting cybersecurity leaders globally. ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.


###


Media Contact:

Megan Malarkey
Senior Account Executive
Aria Marketing
(617) 332-9999, x215
mmalarkey@ariamarketing.com


Business Partners: A New Risk to Health Data Security?

by John Moore, iHealthBeat Contributing Reporter

Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.

The HIPAA Privacy Rule refers to third parties as “business associates” and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.

HIPAA’s Security Rule calls for covered entities to create contracts with business associates to ensure that the partner “will appropriately safeguard” PHI. The HITECH Act of 2009 further strengthened HIPAA’s rules regarding business associates and security obligations.

While the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.

Read John’s entire article here: http://www.ihealthbeat.org/features/2012/business-partners-a-new-risk-to-health-data-security.aspx